Software Requirements

Software prerequisites for the protector deployment.

Ensure that the following prerequisites are met for deploying the Application Protector Java Container package ApplicationProtector_RHUBI-9-64_x86-64_Generic.K8S.JRE-<JRE_Version>_<Version>.tgz.

ESA prerequisites

  • Policy - Ensure that you have defined the security policy in the ESA. For more information about defining a security policy, refer to the section Policy Management.

  • Datastore - Attach the policy to the default datastore in the ESA or to a range of allowed servers that are added to a datastore.

    The IP address range of the allowed servers must be the same as that of the nodes in the Kubernetes cluster where the Application Protector Java Containers are deployed.

    For more information about datastores, refer to the section Data Stores.

  • ESA user - Create an ESA user that will be used to invoke the RPS REST API for retrieving the security policy and the certificates from the ESA. Ensure that the user is assigned the Export Resilient Package role. This user is used to export the policy in a static-based deployment.

    For more information about assigning roles, refer to the section Managing Roles.

Jump Box Configuration

A Linux instance, referred to as the Jump Box, can be used to communicate with the Kubernetes cluster. This instance can be on-premises or on AWS. The Jump Box is used to execute all the deployment-related commands.

Ensure that the following prerequisites are installed on the Jump Box:

  • Helm, which is used as the package manager for all the applications.
  • Docker to communicate with the Container Registry, where you want to upload the Docker images.
  • eksctl, which is a CLI utility to communicate with Amazon EKS.

Cloud or AWS prerequisites

You need access to an AWS account. You also need access to the following AWS resources.

  • AWS Elastic File System (EFS) - if you want to upload the policy package to AWS EFS instead of AWS S3. You require both read and write permissions. This is required for static-based deployment.
    • Install the latest version of the EFS-CSI driver, which is required if you are using AWS EFS as the persistent volume. This is required for static-based deployment.

      For more information about installing the EFS-CSI driver, refer to the Amazon EFS CSI driver documentation.

  • AWS S3 - if you want to use AWS S3 for storing the policy snapshot, instead of AWS EFS. You require both read and write permissions. This is required for static-based deployment.

    For more information about the AWS S3-specific permissions, refer to the API Reference document for AWS S3.

  • IAM User - Required to create the Kubernetes cluster. This user requires the following permissions:

    • AmazonEC2FullAccess - This is an AWS managed policy.

    • AmazonEKSClusterPolicy - This is an AWS managed policy.

    • AmazonEKSServicePolicy - This is an AWS managed policy.

    • AWSCloudFormationFullAccess - This is an AWS managed policy.

    • Custom policy that allows the user to perform the following actions:

      • Create a new role and an instance profile.
      • Retrieve information about a role and an instance profile.
      • Attach a policy to the specified IAM role.

      The following actions must be permitted on the IAM service:

      • GetInstanceProfile
      • GetRole
      • AddRoleToInstanceProfile
      • CreateInstanceProfile
      • CreateRole
      • PassRole
      • AttachRolePolicy

    • Custom policy that allows the user to perform the following actions:

      • Delete a role and an instance profile.
      • Detach a policy from a specified role.
      • Delete a policy from the specified role.
      • Remove an IAM role from the specified EC2 instance profile.

      The following actions must be permitted on the IAM service:

      • GetOpenIDConnectProvider
      • CreateOpenIDConnectProvider
      • DeleteInstanceProfile
      • DeleteRole
      • RemoveRoleFromInstanceProfile
      • DeleteRolePolicy
      • DetachRolePolicy
      • PutRolePolicy

    • Custom policy that allows the user to manage EKS clusters. The following actions must be permitted on the EKS service:

      • ListClusters
      • ListNodegroups
      • ListTagsForResource
      • ListUpdates
      • DescribeCluster
      • DescribeNodegroup
      • DescribeUpdate
      • CreateCluster
      • CreateNodegroup
      • DeleteCluster
      • DeleteNodegroup
      • UpdateClusterConfig
      • UpdateClusterVersion
      • UpdateNodegroupConfig
      • UpdateNodegroupVersion

    For more information about creating an IAM user, refer to the section Creating an IAM User in Your AWS Account in the AWS documentation. Contact your system administrator to create the IAM users.

    For more information about the EKS-specific permissions, refer to the API Reference document for Amazon EKS.

  • Access to AWS Elastic Container Registry (ECR) to upload the Container images.

  • Access to Route53 for mapping the hostname of the Elastic Load Balancer to a DNS entry in the Amazon Route53 service. This is required if you are terminating the TLS connection from the client application on the Load Balancer.

  • Access to AWS KMS. This is required for static-based deployment.
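
The custom policies listed under IAM User can be checked before the cluster is created. The following is an added example, not part of the original documentation or the product: it audits a candidate IAM policy document for the IAM and EKS actions listed above and reports any wildcard grants. The CANDIDATE policy is constructed sample data, and the check reads Allow statements only (it ignores Deny, NotAction, Condition, and Resource scoping).

```python
import fnmatch

# Actions copied from the three custom-policy lists on this page. The "iam:" and
# "eks:" prefixes are the standard IAM service prefixes for those services.
REQUIRED = {
    "iam": ["GetInstanceProfile", "GetRole", "AddRoleToInstanceProfile",
            "CreateInstanceProfile", "CreateRole", "PassRole", "AttachRolePolicy",
            "GetOpenIDConnectProvider", "CreateOpenIDConnectProvider",
            "DeleteInstanceProfile", "DeleteRole", "RemoveRoleFromInstanceProfile",
            "DeleteRolePolicy", "DetachRolePolicy", "PutRolePolicy"],
    "eks": ["ListClusters", "ListNodegroups", "ListTagsForResource", "ListUpdates",
            "DescribeCluster", "DescribeNodegroup", "DescribeUpdate",
            "CreateCluster", "CreateNodegroup", "DeleteCluster", "DeleteNodegroup",
            "UpdateClusterConfig", "UpdateClusterVersion",
            "UpdateNodegroupConfig", "UpdateNodegroupVersion"],
}


def _listify(value):
    # IAM allows Statement and Action to be a single item or a list.
    return [value] if isinstance(value, (str, dict)) else list(value)


def audit(policy):
    """Return (missing, wildcards) for the Allow statements of a policy document."""
    granted = [action.lower()
               for stmt in _listify(policy.get("Statement", []))
               if stmt.get("Effect") == "Allow"
               for action in _listify(stmt.get("Action", []))]
    required = [f"{svc}:{name}" for svc, names in REQUIRED.items() for name in names]
    # IAM action names are case-insensitive and accept * and ? wildcards.
    missing = [r for r in required
               if not any(fnmatch.fnmatchcase(r.lower(), g) for g in granted)]
    wildcards = sorted({g for g in granted if "*" in g or "?" in g})
    return missing, wildcards


# Constructed candidate policy: omits iam:PassRole and over-grants with eks:*.
CANDIDATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": [f"iam:{n}" for n in REQUIRED["iam"] if n != "PassRole"]},
        {"Effect": "Allow", "Resource": "*", "Action": "eks:*"},
    ],
}

if __name__ == "__main__":
    missing, wildcards = audit(CANDIDATE)
    print("missing required actions:", missing)
    print("wildcard grants to narrow:", wildcards)
```

A policy that passes with no missing actions and no wildcards grants exactly the actions this page lists; anything reported under wildcards is broader than the prerequisites require.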


Last modified : January 17, 2026